CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface.

The following issues are fixed by this update :

  - CVE-2012-5519: privilege escalation via cross-site     scripting and bad print job submission used to replace     cupsd.conf on server (bsc#924208).

  - CVE-2015-1158: Improper Update of Reference Count

  - CVE-2015-1159: Cross-Site Scripting

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes the following issues :

  - CVE-2015-1158 and CVE-2015-1159 fixes a possible     privilege escalation via cross-site scripting and bad     print job submission used to replace cupsd.conf on     server (CUPS STR#4609 CERT-VU-810572 CVE-2015-1158     CVE-2015-1159 bugzilla.suse.com bsc#924208). In general     it is crucial to limit access to CUPS to trustworthy     users who do not misuse their permission to submit print     jobs which means to upload arbitrary data onto the CUPS     server, see     https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_setti     ngs and cf. the entries about CVE-2012-5519 below.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Revert change to whitelist /rss/ resources, as this was     not used upstream.

  - More STR #4461 fixes from upstream: make rss feeds     world-readable, but cachedir private.

  - Fix icon display in web interface during server restart     (STR #4475).

  - Fixes for upstream patch for STR #4461: allow /rss/     requests for files we created.

  - Use upstream patch for STR #4461.

  - Applied upstream patch to fix CVE-2014-5029 (bug     #1122600), CVE-2014-5030 (bug #1128764), CVE-2014-5031     (bug #1128767).

  - Fix conf/log file reading for authenticated users (STR     #4461).

  - Fix CGI handling (STR #4454, bug #1120419).

  - fix patch for CVE-2014-3537 (bug #1117794)

  - CVE-2014-2856: cross-site scripting flaw (bug #1117798)

  - CVE-2014-3537: insufficient checking leads to privilege     escalation (bug #1117794)

  - Removed package description changes.

  - Applied patch to fix 'Bad request' errors as a result of     adding in httpSetTimeout (STR #4440, also part of svn     revision 9967).

  - Fixed timeout issue with cupsd reading when there is no     data ready (bug #1110045).

  - Fixed synconclose patch to avoid 'too many arguments for     format' warning.

  - Fixed settimeout patch to include math.h for fmod     declaration.

  - Fixed typo preventing web interface from changing driver     (bug #1104483, STR #3601).

  - Fixed SyncOnClose patch (bug #984883).

  - Use upstream patch to avoid replaying GSS credentials     (bug #1040293).

  - Prevent BrowsePoll problems across suspend/resume (bug     #769292) :

  - Eliminate indefinite wait for response (svn revision     9688).

  - Backported httpSetTimeout API function from CUPS 1.5 and     use it in the ipp backend so that we wait indefinitely     until the printer responds, we get a hard error, or the     job is cancelled.

  - cups-polld: reconnect on error.

  - Added new SyncOnClose directive to use fsync after     altering configuration files: defaults to 'Yes'. Adjust     in cupsd.conf (bug #984883).

  - Fix cupsctl man page typo (bug #1011076).

  - Use more portable rpm specfile syntax for conditional     php building (bug #988598).

  - Fix SetEnv directive in cupsd.conf (bug #986495).

  - Fix 'collection' attribute sending (bug #978387).

  - Prevent format_log segfault (bug #971079).

  - Prevent stringpool corruption (bug #884851).

  - Don't crash when job queued for printer that times out     (bug #855431).

  - Upstream patch for broken multipart handling (bug     #852846).

  - Install /etc/cron.daily/cups with correct permissions     (bug #1012482).

  - Fixes for jobs with multiple files and multiple formats     (bug #972242).

  - Applied patch to fix CVE-2012-5519 (privilege escalation     for users in SystemGroup or with equivalent polkit     permission). This prevents HTTP PUT requests with paths     under /admin/conf/ other than that for cupsd.conf, and     also prevents such requests altering certain     configuration directives such as PageLog and FileDevice     (bug #875898).

The remote host is affected by the vulnerability described in GLSA-201404-01 (CUPS: Arbitrary file read/write)

    Members of the lpadmin group have admin access to the web interface,       where they can       edit the config file and set some &ldquo;dangerous&rdquo; directives (like the       logfilenames), which enable them to read or write files as the user       running       the CUPS webserver.
  Impact :

    A local attacker could possibly exploit this vulnerability to read or       write files as the user running the CUPS webserver.
  Workaround :

    There is no known workaround at this time.

The following security issue has been fixed in the CUPS print daemon CVE-2012-5519: The patch adds better default protection against misuse of privileges by normal users who have been specifically allowed by root to do cupsd configuration changes

The new ConfigurationChangeRestriction cupsd.conf directive specifies the level of restriction for cupsd.conf changes that happen via HTTP/IPP requests to the running cupsd (e.g. via CUPS web interface or via the cupsctl command).

By default certain cupsd.conf directives that deal with filenames, paths, and users can no longer be changed via requests to the running cupsd but only by manual editing the cupsd.conf file and its default file permissions permit only root to write the cupsd.conf file.

Those directives are: ConfigurationChangeRestriction, AccessLog, BrowseLDAPCACertFile, CacheDir, ConfigFilePerm, DataDir, DocumentRoot, ErrorLog, FileDevice, FontPath, Group, LogFilePerm, PageLog, Printcap, PrintcapFormat, PrintcapGUI, RemoteRoot, RequestRoot, ServerBin, ServerCertificate, ServerKey, ServerRoot, StateDir, SystemGroup, SystemGroupAuthKey, TempDir, User.

The default group of users who are allowed to do cupsd configuration changes via requests to the running cupsd (i.e. the SystemGroup directive in cupsd.conf) is set to 'root' only.

Additionally the following bug has been fixed :

  - strip trailing '@REALM' from username for Kerberos     authentication (CUPS STR#3972 bnc#827109)

It was discovered that CUPS administrative users (members of the SystemGroups groups) who are permitted to perform CUPS configuration changes via the CUPS web interface could manipulate the CUPS configuration to gain unintended privileges. Such users could read or write arbitrary files with the privileges of the CUPS daemon, possibly allowing them to run arbitrary code with root privileges.
(CVE-2012-5519)

After installing this update, the ability to change certain CUPS configuration directives remotely will be disabled by default. The newly introduced ConfigurationChangeRestriction directive can be used to enable the changing of the restricted directives remotely.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2013-0580 advisory.

    - Fix for CVE-2012-5519 patch: handle blacklisted lines that have no       value part gracefully.
    - Added documentation for new CVE-2012-5519 option.
    - Applied patch to fix CVE-2012-5519 (privilege escalation for users       in SystemGroup or with equivalent polkit permission).  This prevents       HTTP PUT requests with paths under /admin/conf/ other than that for       cupsd.conf, and also prevents such requests altering certain       configuration directives such as PageLog and FileDevice (bug #875898).

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is running a version of Mac OS X 10.8 that is older than 10.8.4. The newer version contains numerous security-related fixes :

  - A local security-bypass vulnerability exists that affects the Disk Management component. The issue can be exploited by an unauthorized attacker to disable FileVault using the command-line. (CVE-2013-0985)

  - A security-bypass vulnerability in SMB file sharing can occur whereby an authenticated attacker can write files outside the shared directory. (CVE-2013-0990)

  - A remote buffer-overflow vulnerability exists when handling certain PICT images. (CVE-2013-0975)

  - A security-bypass vulnerability exists whereby an attacker with access to a user's session may be able to log into previously accessed sites. An attacker can exploit this issue even if Private Browsing was used. (CVE-2013-0982)

  - A remote-code execution issue affects the text glyphs because of an unbounded stack allocation when handling maliciously crafted URLs. (CVE-2013-0983)

  - A remote-code execution vulnerability exists due to improper handling of text tracks. (CVE-2013-1024)

  - A buffer-overflow vulnerability exists in the Directory Service daemon that can be exploited via a specially crafted network message. (CVE-2013-0984)

The remote host is running a version of Mac OS X 10.8.x that is prior to 10.8.4. The newer version contains multiple security-related fixes for the following components :

  - CFNetwork
  - CoreAnimation
  - CoreMedia Playback
  - CUPS
  - Disk Management
  - OpenSSL
  - QuickDraw Manager
  - QuickTime
  - SMB

According to its banner, the version of CUPS installed on the remote host is earlier than 1.6.2. It is, therefore, potentially affected by the following vulnerabilities :

  - Permissions on the file '/var/run/cups/certs/0' could     allow access to CUPS administration interface     authentication key material and thus, the interface     itself with admin rights. Additionally, users with admin     rights can edit the configuration file and specify     malicious commands that are then carried out with root     user permissions. (CVE-2012-5519)

  - Multiple errors exist related to the functions     'ippEnumString', 'ippReadIO', 'set_time',     'load_request_root' and 'http_resolve_cb' that could     allow denial of service attacks.

Updated cups packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The Common UNIX Printing System (CUPS) provides a portable printing layer for Linux, UNIX, and similar operating systems.

It was discovered that CUPS administrative users (members of the SystemGroups groups) who are permitted to perform CUPS configuration changes via the CUPS web interface could manipulate the CUPS configuration to gain unintended privileges. Such users could read or write arbitrary files with the privileges of the CUPS daemon, possibly allowing them to run arbitrary code with root privileges.
(CVE-2012-5519)

After installing this update, the ability to change certain CUPS configuration directives remotely will be disabled by default. The newly introduced ConfigurationChangeRestriction directive can be used to enable the changing of the restricted directives remotely. Refer to Red Hat Bugzilla bug 875898 for more details and the list of restricted directives.

All users of cups are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the cupsd daemon will be restarted automatically.

It was discovered that CUPS administrative users (members of the SystemGroups groups) who are permitted to perform CUPS configuration changes via the CUPS web interface could manipulate the CUPS configuration to gain unintended privileges. Such users could read or write arbitrary files with the privileges of the CUPS daemon, possibly allowing them to run arbitrary code with root privileges.
(CVE-2012-5519)

After installing this update, the ability to change certain CUPS configuration directives remotely will be disabled by default. The newly introduced ConfigurationChangeRestriction directive can be used to enable the changing of the restricted directives remotely.

After installing this update, the cupsd daemon will be restarted automatically.

This update addresses two security issues :

  - CVE-2012-5519 (privilege escalation for users for the     CUPS SystemGroup group or via polkit) is fixed by moving     certain configuration keywords into a separate file,     cups-files.conf, which cannot be modified by cupsd.

  - CVE-2012-6094 (configuration issue with IPv4 vs IPv6)     has been fixed by dropping support for systemd socket     activation via IP sockets.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update addresses CVE-2012-5519 by moving certain configuration keywords into a separate file, cups-files.conf, which cannot be modified by cupsd.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jann Horn discovered that users of the CUPS printing system who are part of the lpadmin group could modify several configuration parameters with security impact. Specifically, this allows an attacker to read or write arbitrary files as root which can be used to elevate privileges.

This update splits the configuration file /etc/cups/cupsd.conf into two files: cupsd.conf and cups-files.conf. While the first stays configurable via the web interface, the latter can only be configured by the root user. Please see the updated documentation that comes with the new package for more information on these files.

A vulnerability was discovered and corrected in cups :

CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface (CVE-2012-5519).

The updated packages have been patched to correct this issue.

It was discovered that users in the lpadmin group could modify certain CUPS configuration options to escalate privileges. An attacker could use this to potentially gain root privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
119966	SUSE SLES12 Security Update : cups154 (SUSE-SU-2015:1044-2)	Nessus	SuSE Local Security Checks	critical
119965	SUSE SLES12 Security Update : cups154 (SUSE-SU-2015:1044-1)	Nessus	SuSE Local Security Checks	critical
84184	openSUSE Security Update : cups (openSUSE-2015-418)	Nessus	SuSE Local Security Checks	critical
84145	SUSE SLED12 / SLES12 Security Update : cups (SUSE-SU-2015:1041-1)	Nessus	SuSE Local Security Checks	critical
79550	OracleVM 3.3 : cups (OVMSA-2014-0035)	Nessus	OracleVM Local Security Checks	high
73390	GLSA-201404-01 : CUPS: Arbitrary file read/write	Nessus	Gentoo Local Security Checks	high
70842	SuSE 11.2 / 11.3 Security Update : CUPS (SAT Patch Numbers 8436 / 8437)	Nessus	SuSE Local Security Checks	high
69729	Amazon Linux AMI : cups (ALAS-2013-170)	Nessus	Amazon Linux Local Security Checks	high
68766	Oracle Linux 5 / 6 : cups (ELSA-2013-0580)	Nessus	Oracle Linux Local Security Checks	high
801016	Mac OS X 10.8 < 10.8.4 Multiple Vulnerabilities (Security Update 2013-002)	Log Correlation Engine	Operating System Detection	high
6857	Mac OS X 10.8 < 10.8.4 Multiple Vulnerabilities (Security Update 2013-002)	Nessus Network Monitor	Web Clients	critical
66808	Mac OS X 10.8.x < 10.8.4 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
65970	CUPS < 1.6.2 Multiple Vulnerabilities	Nessus	Misc.	high
65031	CentOS 5 / 6 : cups (CESA-2013:0580)	Nessus	CentOS Local Security Checks	high
64963	Scientific Linux Security Update : cups on SL5.x, SL6.x i386/x86_64 (20130228)	Nessus	Scientific Linux Local Security Checks	high
64944	RHEL 5 / 6 : cups (RHSA-2013:0580)	Nessus	Red Hat Local Security Checks	high
64882	Fedora 17 : cups-1.5.4-18.fc17 (2012-19606)	Nessus	Fedora Local Security Checks	high
63482	Fedora 18 : cups-1.5.4-20.fc18 (2012-19301)	Nessus	Fedora Local Security Checks	high
63385	Debian DSA-2600-1 : cups - privilege escalation	Nessus	Debian Local Security Checks	high
63257	Mandriva Linux Security Advisory : cups (MDVSA-2012:179)	Nessus	Mandriva Local Security Checks	high
63163	Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : cups, cupsys vulnerability (USN-1654-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2012-5519

high

Tenable Plugins

critical

critical

critical

critical

high

high

high

high

high

high

critical

high

high

high

high

high

high

high

high

high

high